Seclog - #137

"The enemy does not care what systems were in scope for testing. Protect your weak points." - The Art of Cyber War

📰 SecLinks

• Executing arbitrary Python code from a comment

• Cloud Build Race Condition Bypass – A subtle race condition in Google Cloud Build's GitHub integration could bypass maintainer review for pull request tests, highlighting critical access control risks in CI/CD systems. Read More

• CrushFTP RCE via DMZ Proxy Flaw – CVE-2025-54309 exploited security check failures in CrushFTP's DMZ proxy, bypassing protections for the internal admin server. Read More

• Hijacking Multi-Agent System Risks – Multi-agent systems (MASs) face failures from unknown components, paralleling distributed system vulnerabilities, enabling new exploit avenues. Read More

• PyPI Phishing Attack Incident Report – A recent campaign targeted PyPI users via email, prompting awareness and initial details about the attack vector. Read More

• AI Prompt Injection Risks and Mitigation – With rising LLM adoption, prompt injection poses new threats; an example illustrates real-world exploitation and defensive strategies. Read More

• Pixel 8 Kernel Debugging via KGDB Guide – Techniques include building custom kernels, breaking into KGDB using ADB or serial connections, and attaching GDB for debugging. Read More

• Semgrep Adoption Strategies and MAS Risks – Introducing Semgrep requires organizational planning for security gains, while multi-agent systems face distributed failure risks akin to traditional infrastructure. [Read More](https://blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/?ref=log.rosecurify.com

• TerraMaster NAS Firmware Extraction to RCE – Firmware extraction and PHP analysis led to remote code execution on TerraMaster NAS devices, starting from an IoT security research idea. Read More

• Gemini CLI Silent Code Execution Risk – A silent attack on Gemini CLI combined improper validation, prompt injection, and misleading UX to execute malicious commands during untrusted code inspection. Read More

• Critical Base44 Vulnerability Exposes Private Apps – A flaw in the AI "vibe coding" platform Base44 allowed unauthorized access to users' private applications, identified by Wiz Research. Read More

• PyPI Phishing Attack Incident Report – A recent campaign targeted PyPI users via email, prompting awareness and initial details about the attack vector. Read More

💻 SecGit

• rb-x/penflow: A visual methodology tracking platform tailored for offensive security assessments

• Proton's Lumo AI Assistant Prompt – Defines a cat-like, upbeat AI personality with guidelines for curiosity and respectful user interactions. Explore on GitHub

• Java RMI Vulnerability Scanner Tool – Remote-Method-Guesser identifies and exploits vulnerabilities in Java RMI services efficiently. Explore on GitHub

• Amazon MWAA Remote Code Execution – Details an RCE vulnerability in Amazon Managed Workflows for Apache Airflow (MWAA). Explore on GitHub

• S3DNS: Cloud Bucket Discovery Tool – Acts as a DNS server to identify AWS/GCP/Azure buckets, following CNAMEs and matching patterns during surfing. Explore on GitHub

• CVE.ICU Project Code Release – Hosts the source code for the CVE.ICU initiative, though specifics remain sparse from the highlight. Explore on GitHub

• Pwnat: Firewall/NAT Hole-Punching – Exploits NAT translation tables to connect clients/servers behind separate NATs without third-party tools. Explore on GitHub

For suggestions and any feedback, please contact: securify@rosecurify.com